Description

Security researcher Gregory Fleischer reported
that when an Adobe Flash file is loaded via
the view-source: scheme, the Flash plugin misinterprets
the origin of the content as localhost, leading to two specific
vulnerabilities:

The Flash file can bypass restrictions imposed by the
crossdomain.xml mechanism and initiate HTTP requests to arbitrary
third-party sites. This vulnerability could be used by an attacker
to perform CSRF attacks against these sites.

The Flash file, being treated as a local resource, can read and
write Local Shared Objects on a user's machine. This vulnerability
could be used by an attacker to place cookie-like objects on a
user's computer and track them across multiple sites.

Additonally, Fleischer reported that the jar: protocol
could be used to bypass restrictions normally preventing content
loaded via view-source: from being rendered.

Thunderbird shares the browser engine with Firefox and
could be vulnerable if plugins were to be enabled in mail. This is not
the default setting and we strongly discourage users from enabling
plugins in mail.